DFARS 7021 Clause 2.0: DoD Releases Proposed Rule Updating CMMC Clause
Client Alert | 2 min read | 08.20.24
On August 15, 2024, the Department of Defense (“DoD”) released the long-awaited proposed rule (“August 2024 Proposed Rule”), updating Defense Federal Acquisition Regulation Supplement (“DFARS”) Clause 252.204-7021 (the “7021 Clause”), which, when final, will initiate the phased implementation of Cybersecurity Maturity Model Certification 2.0 (“CMMC”) requirements into DoD contracts. The Clause will require every defense contractor that handles Federal Contract Information (“FCI”) or Controlled Unclassified Information (“CUI”) to assess and certify compliance with select CMMC security requirements. The August 2024 Proposed Rule introduces several distinct changes to the 7021 Clause published by DoD in January 2023, including:
- Instructing Contracting Officers to fill in the required CMMC Level in each in-scope DoD contract.
- Requiring contractors to “maintain the CMMC level required by [the] contract for the duration of the contract for all information systems” that handle FCI or CUI.
- Requiring contractors to notify the Contracting Officer within 72 hours if there are any “lapses in information security” or changes to the status of the CMMC certification—including in self-assessment certification.
- Requiring contractors to affirm “continuous compliance” on an annual basis or when changes to the status of their CMMC certifications occur.
- Requiring that contractors “ensure” that subcontractors have current CMMC certificates or self-assessments at the required flowdown level.
Heightened cybersecurity requirements and greater scrutiny on compliance will increase risks and potential consequences for defense contractors, particularly in the context of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation. Thus, contractors need to be prepared for the upcoming implementation of CMMC. Comments on the proposed rule will be accepted for 60 days.
The 7021 Clause has been dormant during the CMMC rulemaking process, but DoD has stated that it will become active and begin appearing in DoD contracts when the August 2024 Proposed Rule is finalized. However, it is likely that not all contractors will be required to fully comply with all CMMC requirements immediately. The August 2024 Proposed Rule affirms that, as outlined in DoD’s December 2023 CMMC Proposed Rule, CMMC requirements are slated to roll out to contractors in phases over a three year period.
Contacts
Insights
Client Alert | 8 min read | 09.24.25
The Transportation Security Administration (TSA) recently proposed an expanded role regulating unmanned aircraft systems (UAS), or drones. On August 7, 2025, the Federal Aviation Administration (FAA) and TSA published a joint Notice of Proposed Rulemaking (proposed rule), titled Normalizing Unmanned Aircraft Systems Beyond Visual Line of Sight Operations (BVLOS). Through this landmark proposed rule, the FAA and TSA aim to provide industry with a clear path forward for streamlined UAS operations for a variety of purposes, including package delivery, agriculture, aerial surveying, civic interest (public safety), and flight testing. Comments on the proposed rule are due October 6, 2025.
Client Alert | 4 min read | 09.23.25
A Special Relationship Reboot? The US-UK Tech Prosperity Deal
Client Alert | 7 min read | 09.23.25
Client Alert | 2 min read | 09.23.25
The Other PFAS Shoe Drops: EPA Will Retain and Defend Its CERCLA PFAS Regulation